Hello there, I'm the Chief Cupid Officer at Readibots, here to take you on a romantic journey through the world of Identity and Access Management (IAM). Just like in any epic love story, our tale has its twists and turns, but fear not, it ends with reignited passion!
Once upon a time, in the digital kingdom, we all fell madly in love with IAM. It was the perfect partner: charming, helpful, and making life easier. We were smitten, spending our days dreaming of endless possibilities and seamless security. It was a match made in tech heaven.
But as in many marriages, life threw us a curveball. The Enron scandal and its aftermath brought in a new era of compliance and governance. Our beloved IAM, once the symbol of freedom and efficiency, began to feel like a tedious chore and morphed into Identity Governance. The sparkle faded, and the relationship with IAM and IGA felt more like a ball and chain than a joyful union.
Just when we thought the romance was gone for good, Readibots entered the scene, like a relationship guru armed with Cupid's arrow. We looked at the world of IAM and said, “Let’s rekindle this love,” and we set out to do it with Identity Automation. We were not here to add to the pile of mundane tasks; we were here to sweep them away.
For those who hadn’t experienced the joys of IAM and only experienced the challenges, Readibots identity automation was like a first love: exciting, new, and full of possibilities. We made the daunting joiner-mover-leaver process a dance of joy, automating it with a grace that would make even Cupid envious.
And for those in the midst of a strained relationship with IGA, we brought a fresh perspective. We didn’t just patch things up; we transformed the relationship. By connecting systems and automating the manual workloads, we turned the tedious into the terrific.
As your Chief Cupid Officer, I invite you to fall in love with IAM all over again. With Readibots Identity Automation, the romance is not only back; it’s better than ever. This Valentine's Day, celebrate a renewed passion for digital security and efficiency, proving that true love can indeed be rekindled, even in the world of technology.
According to some recent research by our friends at One Identity, only 8% of companies have fully automated provisioning processes and 70% rely upon manual operations for joiner / mover / leaver events. Yet, despite many downstream manual processes, many organizations feel they’ve ticked the IGA checkbox.
Let’s start with critical systems: these are well covered by IGAs and usually fully automated. Next come the legacy and specialized systems: these generally aren’t automated by the IGA; they get sent to the service desk for fulfillment. Finally, there are the operational, non-account-management workflows that are generally manual: creating a badge, provisioning a phone, ordering business cards, etc.
From the IGA team’s perspective, it’s completely automated. An HR event occurs, which creates a downstream sequence of events. The IGA team has done well. It’s all integrated and flowing.
From the business perspective, the picture is very different. It is not automated, nor is it fully orchestrated. People are manually processing tickets at a huge cost. The business doesn’t have visibility into the process, its state and/or exceptions until problems arise. It’s difficult to direct staff to address problems that are not visible. HR often has some visibility into the challenges, but they don’t own the processes. This disconnect is costing the business in many ways.
Specialized systems are typically very costly to integrate into IGA. Custom connectors have to be built and the cost is often seen as excessive, so the organization lives with manual processes. The IGA calls for provisioning and a ticket gets created where a system owner gets flagged to create the account through a legacy interface. There’s no off-the-shelf connector and the cost to create one is prohibitive - especially when considering the number of these systems that linger. Some orgs will rationalize that these systems are going away soon, but they often continue to linger for years.
If the organization has chosen a latest-greatest IGA, then many mainstream cloud apps will be covered. Most cloud vendors support SSO, but not always with the org’s SSO provider. The business will often demand access to specialized cloud apps where connectors don’t exist. These apps are especially problematic, as SSO is your best line of defense for cloud apps during terminations. Without SSO, an exiting user may access the cloud app for days until a ticket is manually processed. Many of the older IGAs lack cloud app connectors, leaving the business in a difficult position: live with manual operations or rip and replace the in-place IGA.
IGAs are getting better in this department, but there’s still quite a gap for many organizations, one that requires a lot of custom scripting in their ITSM. This is costly development. ITSM vendors charge dearly for these automations, and ongoing maintenance is problematic.
Then there’s the business processes (business cards, phone, badge, etc) which are just accepted as being manual operations - nothing that can be done. So the organization just accepts it and lives with the inefficiencies, often without realizing just how much it’s costing and compromising the agility of the organization.
So, what’s the cost?
Onboarding is slower than it should be and it’s not completely reliable. Ever had an employee start and on day one they don’t have a phone, badge or worse, a computer? HR people will attest to this problem. Human beings are fallible and that means the processes are likewise subject to exceptions.
With manual processes the key stakeholders like hiring managers don’t have visibility into process exceptions. With insight, they could have rectified an exception without business impact but instead suffer embarrassing process failures.
This one is a security issue. When there’s an emergency departure, IGA systems often can’t respond in a timely manner. Further, the downstream processes are all manual. Orgs have relied upon the perimeter and SSO to ensure that an account is disabled, but most experts agree that many back-doors remain open for days, or longer after a termination. With emergency terminations, significant damage can be done during this gap.
An organization is nothing without its people. These are the people that drive it forward, make it competitive, they innovate, they invent, they are loyal. Yet, these are the people that an org has processing thousands of tickets each month; grunt work - a perceived necessity. By automating the massive backlog of tedious repetitive tickets, employee retention and satisfaction give an organization a competitive edge.
That new star sales executive starts and can’t log in. A customer list is stolen because an account didn’t get shut down. A new engineer starts and doesn’t have a computer. A manager can’t access her Microsoft Teams resources because the assignment failed and wasn’t detected. There are countless cases that most organizations have suffered. They collectively create a state of disruption at a huge cost to the business.
The READI Identity Automation platform enables an organization to easily integrate all of their systems into their IGA workflows. Based on a low-code automation platform, universal connector technology, and seamless REST integration, organizations can quickly and easily extend their IGA reach into all systems - closing the gap for all joiner / mover / leaver events. It’s never been faster or easier to achieve and manage full automation.
Identity Automation brings orchestration and exception alerting to the manual processes. While warm bodies and tickets may still be required, Identity Automation can orchestrate, track and ensure that things get done so that exceptions are caught and resolved, avoiding business impact. The hiring manager always retains visibility into the state of their hire. When things go off the rails, as they sometimes do, the key stakeholders immediately get alerted.
There’s no better proof than real-world results. One of our enterprise customers with over 100K employees eliminated the manual labor of 13 IT staff and reduced their onboarding SLA from 72 hours to just 4 hours. The process, which involves over 40,000 weekly operations, is visible in a dashboard that allows them to monitor all operations (automated and manual) along with SLA metrics and obtain early warning of any problems. In only 9 months, they calculated a direct ROI of approximately $1,000,000. The 13 staff have been redeployed into strategic digital transformation projects that were not previously possible. By closing the identity gap, the organization avoided additional hiring. With one initiative, they retained and repurposed valuable staff and improved overall employee satisfaction among both the IT technical staff and the business stakeholders.
Getting started is easier than you think. The Readibots team and our trusted partners are here to help. The Readibots advisory service is designed to assist with as much of the workload as an organization would like. From onboarding and training to full implementation, the READI team will provide a professionally managed experience.
IT shops are typically complex and manage an array of moving parts. Keeping identities provisioned, licensed and secure involves endless touch points. There are the basics of ensuring that people in roles have access to the right applications, but most organizations quickly find that they still have a lot of gaps even after they deploy and configure a well-known IGA software product. IT professionals quickly discover that many applications aren’t covered, data still needs to be managed, recertification campaigns need to be kicked off at the right time, and self-service needs to be implemented. There are literally hundreds of these scenarios. Buying an IGA was just the beginning. Many IT shops decide that solving these problems is either beyond the abilities of their IGA or requires a tremendous amount of costly custom development. This in turn creates a new problem: documenting and maintaining custom code.
Not sure about this? Take the Random Acts of Identity Automation Quiz with your team:
If any of these 10 questions make you take pause, then a serious team discussion is warranted.
Two choices remain:
1. Automate, or
2. Send it to the ITSM and manually fulfill
The manual fulfillment option is the obvious choice and gets the job done but it’s error prone, slow, and very expensive. Often, only the most painful of these tasks will get automated.
Many organizations will pursue a path that we refer to as Random Acts of Automation. When the pain becomes unmanageable, someone decides to write a script to address the problem. With an immediate win, another isn’t far behind. Then another, and it continues. Virtually every IT shop has these. Random scripts that “do something” that “someone wrote”, put on a server, and scheduled to run at certain points in the day.
Let’s be clear: these scripts can offer great relief. They are a quick fix to a problem, but they are the seeds of future problems.
In a nutshell, random scripts are NOT governed and likely not documented, and that is a major risk, especially in a world where every organization is working to implement a governance model.
Scripts almost always run in an elevated, admin context, and they run against production systems and data. These scripts often wield greater power than the admins that wrote them. People move on. They forget. Departments evolve. Many orgs are shocked to find out the extent of their problem! Many of these scripts have been running for years and as long as the org is evolving, new scripts are likely being created to address new challenges. These scripts are prime candidates for a future breach!
How did we get here? “If it ain’t broke, don’t fix it.” There’s little desire to fix something that is working. These band aids get created, they work, the team moves on. Months later, the pain is long gone, and the band aid is forgotten. These build up. They are unmanaged, random, and therefore go undetected.
Awareness is key. Often, CISOs aren’t aware that this is happening, and so they are unable to govern it. Correcting this has to come from the top as part of a security initiative.
The old adage applies: you can’t manage what you can’t measure. Start with awareness. A scan of all target servers and workstations that are likely to have automation scripts is a good start. Identify the potential sources; you might be surprised what you actually find.
Next, look for the low-hanging fruit: are there embedded credentials? Is the script running in an admin context? Get these ones identified and on the action list.
The next step is taking measured action. To solve this, scripts will need to be co-located in a common repository where there’s some access governance. Scripts can be moved to folders, code signed, and credentials pulled from a vault. This is a big step forward, but still many controls remain missing. The organization will need to assign a capable script author and create a thoughtful implementation plan.
How will we handle auditing? How will we ensure that a script cannot be changed? How will we know if it has been changed? How will we implement separation of duties (SOD)? For these kinds of controls, typical of an ISO 27001 shop, the bare-knuckles approach to identity automation becomes very complicated.
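The first two steps above (inventory the scripts, then flag embedded credentials and admin context) and the later question of knowing whether a script has changed can be illustrated with a small scanner. The following is an added example written for this page, not Readibots' assessment tool or any product code. The three sample scripts are constructed, the credential and elevation patterns are a deliberately small illustrative set (a real inventory would need many more), and the risk ranking is an assumption of the example. Change detection is done by keeping a SHA-256 baseline of each script and comparing a later scan against it.

```python
"""Inventory automation scripts, flag embedded credentials and elevated context,
and keep a hash baseline so later edits to a script can be detected.
Added example for this page; not Readibots' code."""
import hashlib
import re
from pathlib import Path

SCRIPT_EXTENSIONS = {".ps1", ".sh", ".py", ".bat", ".cmd", ".vbs"}

# Constructed sample scripts standing in for what a scan of a server might find.
SAMPLE_SCRIPTS = {
    "sync_hr_feed.ps1": (
        "$cred = New-Object PSCredential('svc_hr', "
        "(ConvertTo-SecureString 'Winter2019!' -AsPlainText -Force))\n"
        "Invoke-Command -ComputerName hr-db01 -Credential $cred -ScriptBlock { Get-Date }\n"
    ),
    "disable_leavers.sh": (
        "#!/bin/sh\n"
        "sudo ldapmodify -D 'cn=admin,dc=example,dc=org' -w s3cr3tpass -f leavers.ldif\n"
    ),
    "report_only.py": "import csv\n# read-only report, no credentials\n",
}

# Illustrative markers only; a production inventory would carry a much larger set.
CREDENTIAL_PATTERNS = {
    "plaintext PSCredential": re.compile(
        r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I),
    "LDAP bind password on command line": re.compile(r"\bldap\w*\b.*\s-w\s+\S+"),
    "password/secret literal": re.compile(
        r"\b(password|passwd|api[_-]?key|secret)\b\s*[=:]\s*['\"]?\S+", re.I),
}
ELEVATION_PATTERNS = {
    "sudo": re.compile(r"\bsudo\b"),
    "explicit -Credential": re.compile(r"-Credential\b", re.I),
    "directory admin bind DN": re.compile(r"cn=admin", re.I),
}


def find_markers(text, patterns):
    """Names of every pattern that matches somewhere in the script text."""
    return [name for name, pat in patterns.items() if pat.search(text)]


def assess_script(text):
    """Hash one script and record which credential/elevation markers it carries."""
    creds = find_markers(text, CREDENTIAL_PATTERNS)
    elev = find_markers(text, ELEVATION_PATTERNS)
    # Assumed ranking: embedded credentials outrank elevation; both together is worst.
    risk = (2 if creds else 0) + (1 if elev else 0)
    return {
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "credentials": creds,
        "elevation": elev,
        "risk": risk,
    }


def scan_scripts(scripts):
    """scripts: mapping of file name -> contents. Returns name -> assessment,
    highest risk first, then alphabetical."""
    results = {name: assess_script(text) for name, text in scripts.items()}
    return dict(sorted(results.items(), key=lambda kv: (-kv[1]["risk"], kv[0])))


def scan_directory(root):
    """Read every script-like file under root (recursively) and assess it."""
    root = Path(root)
    scripts = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            scripts[str(path.relative_to(root))] = path.read_text(errors="replace")
    return scan_scripts(scripts)


def changed_since(baseline, current):
    """Names whose hash differs from the baseline, or that are new since it was taken."""
    return sorted(name for name, a in current.items()
                  if baseline.get(name, {}).get("sha256") != a["sha256"])


if __name__ == "__main__":
    baseline = scan_scripts(SAMPLE_SCRIPTS)
    for name, a in baseline.items():
        print(f"{a['risk']}  {name:22} creds={a['credentials']} elev={a['elevation']}")
    # Simulate someone editing a governed script after the baseline was recorded.
    edited = dict(SAMPLE_SCRIPTS)
    edited["disable_leavers.sh"] += "echo tampered\n"
    print("changed since baseline:", changed_since(baseline, scan_scripts(edited)))
```

Run it as-is to see the constructed samples ranked, or point `scan_directory()` at a real scripts folder; the baseline dictionary is what you would persist (and protect) so that a later scan can answer "has this script been changed?".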
This is one area where products like ServiceNow have made their mark. They provide a very sophisticated, managed environment for identity automation. It’s one of the greatest things about ServiceNow beyond their ITSM services. A move in this direction, is an evolution beyond Random Acts of Automation. Everything is centralized, governed, secure and audited.
But not everyone needs or wants ServiceNow. There are many ITSM products and if you’re already a user of one of them, it likely isn’t feasible to make the switch to ServiceNow.
That’s where Readibots Identity Automation comes in. Like ServiceNow, the READI platform is designed specifically for IT automation. Readibots offers IT shops a choice: a cloud-based automation platform that is technology agnostic. The READI platform is agile, cost effective and integrates seamlessly with any IGA solution (SailPoint, Oracle, IBM, MicroFocus, Saviynt and others) and any ITSM solution (ServiceNow, Cherwell, BMC, Freshdesk, SolarWinds and others). With the READI platform, you get secure, governed automation at a fraction of the cost.
The READI Platform provides management and governance over scripts which already exist as well as providing a platform for you to build more with governance. As a bonus, Readibots has a free assessment tool that will help organizations discover their scripts and identify the highest risks. In only a few hours, scripts can be cataloged, risk ranked, and if desired, migrated into the READI platform where they will become governed as part of a greater automation strategy.
As we wrapped up 2023, I've been contemplating the dynamic shifts in IAM. It’s been a year full of challenges, learning, and significant evolutions in our approach to IAM.
This year, there's been a notable trend of returning to the basics of IAM, especially as workforce dynamics have transformed with more remote and hybrid work models. The increased identity sprawl demanded a more unified approach to IAM. Companies sought identity automation software in the Joiner-Mover-Leaver processes to manage this new, fluid workforce efficiently and cost-effectively. It's been about striking that delicate balance between governance and operational agility.
2023 also threw us a curveball with a major security breach in a leading SSO provider. This incident was a stark reminder of the vulnerabilities in our security systems and the risks of over-reliance on external vendors. It prompted a vital discussion on adopting a diversified, multi-layered approach to security, especially crucial in an era where remote work has become the norm.
Another significant trend we observed this year was the accelerated move toward cloud adoption, which has had a profound impact on IAM strategies. As more companies migrated their operations to the cloud, the need for robust IAM frameworks became apparent. This shift necessitated a rethink of traditional IAM models, with a greater emphasis on zero-trust security models and cloud-specific identity controls. The challenge has been to maintain security without compromising the user experience in these complex cloud environments. As we've embraced the cloud's potential, it's become clear that our IAM strategies need to be as dynamic and flexible as the cloud itself.
And of course, the perennial challenge of resource allocation for IAM remained a central theme. Balancing the cost and effort of IAM projects against other organizational priorities has been a tightrope walk for many. The integration of AI and machine learning in IAM for better security and efficiency has been a ray of hope, suggesting a future where IAM is not just essential but also manageable within resource constraints.
So, there you have it! During 2023, the lessons we’ve learned are invaluable. From adapting to workforce changes and reevaluating our trust in security vendors to embracing cloud transformations in IAM, it’s been a year of significant growth and adaptation. Here's to 2024 – may it bring more stability, innovation, and maybe a bit more predictability in the world of IAM.
Until next time,
1. Elevate Security, "The Future of Identity and Access Management: 2023 IAM Trends". (https://elevatesecurity.com).
2. Atos, "2023 top trends for Identity and Access Management (IAM)". (https://atos.net).
3. Veritis, "Future Of Identity And Access Management: IAM Trends in 2023". (https://veritis.com).
In the heart of the North Pole, where the snow glistens and the aurora dances, Santa Claus faced a modern-day dilemma. With a growing list of suppliers, partners, full-time, part-time, and temporary elves bustling in his workshop, managing their identities had become as complex as navigating a blizzard. Traditionally, Santa relied on the Old Ledger, a massive book where the names and roles of every elf, reindeer, and supplier were manually recorded. But as the holiday rush intensified, the Old Ledger became a source of chaos. Elves were mistakenly assigned to toy-making instead of cookie-baking, and some temporary helpers still had access to the workshop long after the Christmas lights dimmed.
One frosty evening, a vendor from afar presented Santa with an identity management solution. It was grand and traditional. It was sold as a safe bet, a road well-travelled, promising to solve all his identity woes. But alas, it was rigid, complex, and far beyond Santa's humble budget. The vendor's system, while grand in its promises, was like a sleigh too rigid for the twists and turns of the North Pole's snowy paths. It required extensive and costly modifications to integrate with the existing systems in Santa's workshop. Some of Santa's oldest and most cherished systems, the ones that had been part of the workshop since its inception, were simply incompatible with this rigid solution. The thought of replacing these legacy systems was as disheartening for Santa as a Christmas without snow.
Just when Santa thought he'd have to face another chaotic Christmas, he discovered Readibots – a beacon of hope in the snowy North Pole. Readibots, with its magical identity automation, promised to streamline the provisioning of identities for all of Santa's helpers. It was like a sleigh guided by the brightest star, swiftly and accurately ensuring that every elf had access to the right tools and resources, and only for as long as they needed them.
With a snap of cold fingers, Readibots identity administration seamlessly integrated with every system in Santa's workshop, be it the ancient Enchanted Conveyor Belt or the latest Toy Assembly Line. Its adaptability was like the Northern Lights – brilliant and awe-inspiring, illuminating the path to a solution that was inclusive of all systems, old and new. Moreover, Readibots, true to its name, was READY. The Readibots team worked with the speed and precision of Santa's most skilled elves, ensuring that their solution would be up and running well before the first snowflake of the seasonal rush.
With Readibots, Santa's workshop was not only ready for the current Christmas but was also set for many more to come. The elves marveled at how smoothly everything ran, and Santa could finally relax, knowing that his workshop was now as modern and efficient as it was magical and joyful.
And so, with Readibots' flexible, adaptable, and timely solution, Santa's workshop entered a new era of efficiency and joy. The North Pole had never been brighter, and the Christmas spirit had never been stronger.
In the dark, eerie corners of the IT world, a ghostly figure looms large - the phantom of failed IGA projects. With a spine-chilling 70% failure rate, as whispered by the crypt-keepers at IBM (IBM's Book of Dark Arts), this specter leaves organizations trembling in fear of security breaches and non-compliance nightmares. But fear not, for Readibots is here with its potion of solutions to banish these ghouls!
The Restructuring Ritual: Many IGA platforms cast a spell, forcing companies to dance to their haunting tune. This disruptive dance can lead to resistance from the living and the undead alike.
The Ghosts of Legacy Systems: Traditional IGA solutions often turn a blind eye to the spirits of legacy on-prem systems, leaving a graveyard of exposures.
The Cloud/On-Prem Conundrum: Organizations are often trapped in a witch's dilemma: to choose the cloud or to remain on-prem. This binary brew can spell doom, especially if the organization's needs shift like shadows in the night.
The Petrifying Lack of Flexibility: Organizations are like werewolves, constantly changing with the moon. The IGA solution must transform with them, or risk being left in the dark.
The IT Staff's Labyrinth of Despair: Many IGA solutions conjure tasks, sending them to the service desk's underworld. Without magical automation, IT staff can become lost souls, overwhelmed by manual tasks.
Without a modern IAM potion, businesses can face a haunted path:
The Time-Consuming Curse: Manual IAM processes can drain the life out of any organization.
The Labyrinth of Poor User Experiences: Without a guiding light, user experiences can become a maze of horrors.
The Skill Gap Specter: Organizations might lack the magical skills needed to deploy modern IAM solutions.
The Dungeon of Technical Debt: Monolithic customizations can trap organizations in a never-ending cycle of debt.
The Zombie Apocalypse of Reduced Innovation: Without the right IAM elixir, employees might become innovation zombies.
Moreover, the cauldron bubbles with rising costs, especially for enterprises lacking a modern IAM spell book. The 2020 Ponemon Book of Shadows reveals that the most fearsome insider threat is the theft of credentials. These dark incidents have risen from the grave, with the average cost of each curse reaching a blood-curdling $871K+ in 2019 (2020 Ponemon's Book of Shadows).
In the haunted library of IBM, a forbidden tome by Forrester Consulting (Forrester's Forbidden Tomes) unveils the ROI of a modern IAM potion:
86% reduction in costs to onboard an IAM spell onto the public cloud.
$1.9M three-year treasure trove of labor cost savings.
96% reduction in the hours spent chanting maintenance spells for IAM software and hardware.
$323K three-year value of time saved from the clutches of the underworld.
Readibots, the fearless vampire hunter of the IGA realm, offers salvation:
The Shape-Shifting Solution: Readibots morphs around a company's existing rituals, ensuring a smoother exorcism of IGA challenges with Identity Automation.
The All-Seeing Eye: Readibots sees both the spirits of legacy on-prem systems and the wraiths of modern cloud solutions.
The Flexibility Elixir: Readibots' potion adapts to your needs, whether you're a creature of the cloud, an on-prem phantom, or a hybrid horror.
The Automation Amulet: Readibots' charm automates repetitive tasks, freeing IT staff from the chains of the crypt.
The Growth Grimoire: As your coven evolves, Readibots stands by your side, ensuring your IGA spells are always potent.
In the shadowy realm of IGA, ghouls and ghosts abound. But with the right spells, potions, and a touch of Readibots Identity Automation magic, organizations can navigate the haunted hallways of IGA with confidence and flair. So, this Halloween, while you enjoy your tricks and treats, remember that the real magic lies in mastering IGA with Readibots!
While most IGAs won't admit it, we see it every day... IGAs fundamentally do not believe that *your* business logic matters. Every organization is unique, and every organization has, for better or worse, their own way of doing things when it comes to provisioning, managing and deprovisioning identities. In other words, the organization's business logic matters. IGAs are built on a rigid set of inflexible concepts like schema mappings and connectors. This requires organizations to adjust or alter their own established process and adjust to the needs of the IGA and how the particular IGA functions.
So, if IGAs are too rigid to handle the complexity of modern processes, what’s the answer?
Enter Readibots. With Readibots there are no such limitations. Readibots embraces “business logic matters” in the Enterprise. The READI platform does not prescribe how identity management should be configured or fulfilled; the Readibots platform molds itself to the organization's specific requirements, regardless of how complex or detailed. It even takes this a step further by supporting full co-existence with an established IGA. This makes it possible for the IGA to do what it does best and then simply hand off the detailed work to a bot in Readibots.
How does Readibots do this? By putting full bot control into the hands of the customer as a fully open platform.
Visit Readibots.com to learn more.
If business logic matters for Identity Management in your organization, sign-up for your own Readibots tenant in minutes and support true IGA automation immediately.
Challenges around Identity Governance are one of the many reasons clients seek out Readibots. They have a current Identity Governance solution, but there are many disconnected applications even after implementation. Prior to Readibots, their feeds came through CSV files instead of a direct connection, and the fulfillment/remediation for identities went through service desk tickets. This leads to very manual processes for both the identity teams and the service desk.
Readibots solves this challenge by connecting natively to the application, converting the data to a common format and providing the feed to your IGA solution of choice automatically. Customers are able to perform their compliance reviews as usual through their IGA solution. With Readibots, the IAM team is able to avoid escalations to the Service Desk and instead, fully automate fulfillment, access reviews, and remediation processes. All processes are centrally governed and auditable.
With Readibots, streamline identity governance and focus on what truly matters to your business.
There is no denying that Identity Governance and Administration is a complex and real business requirement. If your organization is like most, you have probably researched and/or implemented an Identity Governance and Administration (IGA) solution.
Unfortunately, many IGA solutions require organizations to compromise business processes; they get reshaped to operate within their software’s boundaries. That usually means that IAM groups have to rework many processes, define an extensive set of roles, and re-think how to get things done. They have to conform to their IGA’s way of doing things before they can move forward.
Every organization is unique. Some will fit the standard IGA model, others won’t. Some can’t or don’t want to change their business processes to fit an IGA solution. The 80/20 rule and more importantly the 20/80 rule is very real in this market. While IGA solutions are very good with 80% of requirements, the unique processes within most companies that do not fit neatly into the IGA solution, will consume 80% of their resources.
There are other challenging scenarios like centrally governed conglomerates with independently operated branches and rapid growth through M&A. Then there’s technical challenges such as a lack of connectors for your systems and home-grown custom processes that companies consider a business advantage. Whatever the case, if an off-the-shelf IGA doesn’t fit, a company will often fall back to inefficient manual provisioning and deprovisioning of identities; a costly and risky place to be. Many organizations are stuck and don’t know where to go with this.
Can the need for IGA be addressed with a different approach? Can the gaps between unique business processes and IGA software be managed more effectively?
Yes, with Identity Automation!
Identity Automation is all about automation of existing processes and systems. It’s a highly pragmatic approach where the mission is to automate, not renovate. The goal is to eliminate manual labour, streamline processes, and get it done quickly. For complex organizations where an off-the-shelf IGA doesn’t fit, Identity Automation is a tactical approach to eliminate workload, improve efficiency, reduce risk … and do it with existing processes. While IGA implementations will often take in excess of one year to implement, Identity Automation can be implemented in stages with real benefits realized in only the first few weeks. With Identity Automation, organizations realize many of the benefits of an IGA implementation while retaining their existing processes.
Back in the early days of identity management, it was all about automation. Success was measured by how many identity systems you could manage, how quickly you could make changes, and how much of your identity lifecycle you could automate. Battles raged between vendors, some started by me, based on the ease of automation, the scalability between platforms, and overall efficiency gains. Then came a great disturbance in the force, Enron, and the resulting slew of regulations such Sarbanes-Oxley Act (SOX) and its cousins around the world. Organizations, and regulators alike, saw that identity governance was critical to avoid scandals like Enron from being repeated.
At first there was a balance between the automation and governance side. Existing leaders who specialized in the automation space (provisioning as it was called) began adding more advanced governance features such as roles, separation-of-duties, compliance packs, risk assessment, along with many others. New governance focused companies popped up as well, less about automation, and more about insight, access certification, and providing the business with information in flashy new dashboards. The new governance first vendors offered only token levels of automation preferring to rely more on ticketing and integration with organizations ITSM's. Enter the age of "pass-the-buck automation". (I'll write more about this not-so-wonderful thing in a later blog)
With this said, let me clear something up, I do believe that governance is vital. There is nothing wrong with a governance first approach if the work gets done quickly and correctly. Sadly, that is not the results that identity leaders see. In my career in the identity space as a vendor, consultant, and analyst, I find time-and-time again that as more identity lifecycle tasks get passed to the ITSM to fulfill, the time to completion increases. From a business perspective, this is a productivity issue as people wait, and wait, and wait for things to get done. From an IT perspective this is an efficiency issue as valuable staff are focused on doing the mundane instead of focused on driving value through transformation. Lastly, from a security perspective, it’s a risk as threat windows are left open for longer than necessary due to the lack of rapid and repeatable automation. Without automation, governance is just expensive reporting that requires the execution of a huge number of manual tasks, without consistency and accuracy. To sum it up, governance without automation is a bad idea.
At the end of the day, identity automation is just as important as identity governance. Automation ensures that the investment someone makes in governance is made real without delay and without error, but without governance there would be nothing to base automation on. Unfortunately, organizations today must choose between automation and governance when selecting an IGA. Don't believe me? Take a look at Gartner's research on the Critical Capabilities for Identity Governance and Administration. As you peruse the document you get to the "Use Cases" section, and what do you find? A choice between governance and automation. Why? Because most IGAs have convinced the world that pass-the-buck automation is equivalent to REAL identity automation, and that you can't have one without the other.
So, what is an organization supposed to do? Perhaps your organization has invested a great amount of time and money into your IGA, or has complex processes built on an ITSM for governing identities, and has been told that your IGA is dead and you need to move to a new IGA or some new identity platform. (Incidentally, these identity platforms probably have even less automation capability than IGAs.) Do you need to change your technology and processes? Fortunately, no, you don't. The secret is to extend the identity automation capabilities of your IGA and ITSM rather than replace them with something new.
Don't believe the hype from IGA and ITSM vendors: you shouldn't have to choose between identity automation and governance. The READI platform has proven that it's possible to get the automation you need without ripping and replacing technology or changing your processes. You can learn more on the Readibots website, or download the READI Platform datasheet.
A theme is emerging when we speak with prospects: Identity Governance products contain many more features than buyers need, which makes them very expensive for the business problem the prospect is trying to solve. Most companies simply need relief from manual provisioning and deprovisioning, not a full-scale Identity Governance and Administration (IGA) solution.
The READI Platform allows customers to automate provisioning and deprovisioning, transforming manual into automated in only a handful of weeks. It also lets them perform specific user access reviews and preserve those certifications in their records.
At Readibots, we align our solutions to our customers' unique needs, ensuring they only pay for the features they use. With Readibots, streamline your identity governance and focus on what truly matters to your business.
Identity and Access Management (IAM) is a crucial aspect of cybersecurity, and it's essential for organizations to have an effective solution in place. However, many companies have found that traditional IAM vendors, such as SailPoint and Saviynt, are extremely expensive and take a long time to implement. The implementation costs for these vendors are typically 3x the purchase price and can span over 2-3 years, which can be a significant financial burden for companies and make it difficult for them to see a return on their investment. In today's turbulent economic climate, companies are looking for more cost-effective and efficient solutions that can return value quickly.
One of the biggest issues with traditional IAM vendors is that they often promote advanced features that most companies never end up using. These vendors tend to have a one-size-fits-all approach, which can lead to companies having to restructure their processes and even abandon the IAM platforms in search of something more flexible.
Readibots and the READI Platform offer a more flexible and efficient alternative to traditional IAM vendors. With the READI Platform, implementation is fast and flexible, allowing companies to tailor their IAM solution to their specific needs. This is a bit like a tailored suit, which is custom-made to fit the wearer perfectly.
One of the key benefits of the READI Platform is that it's much more cost-effective than traditional IAM vendors. The READI Platform delivers very fast implementations with unparalleled flexibility, which helps companies save money and return value quickly.
In conclusion, traditional IAM vendors, such as SailPoint and Saviynt, can be extremely expensive and take a long time to implement. With high implementation costs, often 3x the purchase price and spanning 2-3 years, these costs can be a significant financial burden for companies. Many companies end up regretting their choice of big IGA because they have to restructure many processes and some even end up abandoning the IGA platforms in search of something more flexible. Readibots and the READI Platform offer a more flexible and efficient alternative that is much more cost-effective and can help companies save money and return value quickly.
We hear from our customers and prospects about the challenges they are facing with their IGA implementations: the length of time they take and, most importantly, that the automation is not what they expect, because they continue to overwhelm their operations teams with tickets. Automation and remediation through even the best IGA platforms are lengthy and costly. We hear from analysts that most organizations with an IGA only have 7-11 systems connected with complete automation (not creating tickets).
Readibots is helping these organizations with a cost-effective solution that is quick and easy to implement. One of our customers, Alorica went from complex requirements to production in 45 days with no changes to their business process or operations. Our cloud-based offering came with pre-packaged provisioning and deprovisioning bots that could be quickly customized to Alorica’s needs. Read more about Alorica here
Our Readibots team would love to have a conversation about helping your team with identity automation.
First, let's consider what a blind spot is. Any responsible executive who knows about their blind spot no longer has a blind spot. So, keep an open mind here. Trust me, you have a blind spot.
I have talked with IT execs at all levels. These folks are not just responsible for a secure organization, they are liable. So, when we talk about blind spots, there’s generally some interest.
Next, I tell them … your IT team is managing the infrastructure using PowerShell. It’s the language of IT. PowerShell IS how you get granular control of systems, and it is how IT shops run. At that point, I get one of two blind spot responses:
In the 90s, I sat with a number of enterprise IT pros in a group called "MECF - Microsoft Enterprise Customer Forum". We met quarterly at Microsoft's Redmond campus to advise them on challenges using their software in the enterprise. Microsoft was emerging into the enterprise computing space and there was much to be learned. As early adopters of their technology, there was an ongoing need for feedback, most of it centered around challenges with administration of the systems. Microsoft was emerging out of the desktop space, and the only way to manage the infrastructure was either by mouse and keyboard, or as a developer with APIs. This made it exceedingly difficult for IT staff to manage their systems.
Over the following decade, Microsoft's offerings became more sophisticated, but it wasn't until 2006, when the Monad project evolved into PowerShell, that enterprise administration came into its own. IT teams could now manage applications using a command line and batch scripts, more the way a UNIX admin would.
Now, 15 years later, PowerShell has grown into an extremely capable scripting language. Almost every enterprise software and hardware vendor has exposed its product through PowerShell modules. It is the go-to tool for IT people to effectively manage infrastructure: hardware and software of all flavours.
So, when I hear someone say, “we don’t use PowerShell” I think, either you don’t understand the scope and use of PowerShell, or you have an IT team that has had their right hands cut off. It makes no sense.
Consider the above context. PowerShell talks to everything. It typically does it within administrative security contexts. It is used interactively at the command line, and extensively in batch mode with scripts that automate operations. It is a hacker’s dream. It has been exploited before, which has led many an organization to shut it down.
But herein lies the confusion. PowerShell is shut down at the user desktop, but not for IT staff. They can't function without it. So, execs believe that it's shut down, but it's not. It's alive and well. This is where the security blind spot comes in.
"PowerShell is almost never shut down on domain controllers and servers - that is the main blind spot of concern. 100% guaranteed, they aren't running it in signed-only mode with a code signing certificate. Organizations should review the active exploitations in the Mitre Framework via Powersploit." - Michael Howden, director of security services, Novacoast
Let me say this: PowerShell is ADMINISTRATIVE and UNGOVERNED - a dangerous combo. There is no auditing, no change log, and little control over access; it encourages dangerous behavior like embedding credentials in scripts. It is a serious security risk which executives should immediately address. It is also a blind spot, because execs believe that the problem has been resolved by disabling it at the end-user desktop.
Most organizations have dozens if not hundreds of scripts. Some are used on demand, some on a scheduled basis. Some live in Azure Runbooks. It's all over the place. I have personally witnessed the most sophisticated of enterprise IT shops fail security audits because of this.
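As an added illustration of how a defender can surface the problem described above (this is example code, not the READI Platform's scanner), the following PowerShell inventories scripts under a folder, flags embedded-credential patterns and unsigned code, and ranks each script by a simple risk score. The regex patterns, weights and the two demo scripts are constructed for this example, and Get-AuthenticodeSignature assumes a Windows host.

```powershell
# Added example, not READI Platform code: inventory PowerShell scripts under a
# folder, flag the unsafe practices the post calls out (embedded credentials,
# unsigned code) and rank each script by a simple risk score.
# Assumptions: the regex patterns and weights are constructed for illustration;
# Get-AuthenticodeSignature needs Windows.

$secretPatterns = @(
    @{ Name = 'PlainTextSecureString'; Weight = 5; Regex = 'ConvertTo-SecureString[^|\r\n]*-AsPlainText' }
    @{ Name = 'PasswordLiteral';       Weight = 5; Regex = '(-Password|\$pass(word)?)\s*[=,]?\s*[''"][^''"]{4,}[''"]' }
    @{ Name = 'SecretLiteral';         Weight = 4; Regex = '(api[_-]?key|secret|token)\s*=\s*[''"][^''"]{8,}[''"]' }
)

function Get-ScriptRiskReport {
    param([Parameter(Mandatory)] [string] $Path)

    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1 -File | ForEach-Object {
        $file     = $_
        $content  = Get-Content -LiteralPath $file.FullName -Raw
        $findings = [System.Collections.Generic.List[string]]::new()
        $score    = 0

        # -match is case-insensitive, so the patterns need no (?i) flag.
        foreach ($p in $secretPatterns) {
            if ($content -match $p.Regex) {
                $findings.Add($p.Name)
                $score += $p.Weight
            }
        }

        # Unsigned or tampered code is a finding on its own: the post notes
        # that signed-only execution is almost never enforced on servers.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Signature:$($sig.Status)")
            $score += 3
        }

        [pscustomobject]@{
            Script       = $file.FullName
            LastModified = $file.LastWriteTime
            Findings     = ($findings -join ', ')
            RiskScore    = $score
        }
    } | Sort-Object RiskScore -Descending
}

# --- Constructed demo input: two scripts written to a temp folder -----------
$demoRoot = Join-Path ([IO.Path]::GetTempPath()) 'ps-governance-demo'
New-Item -ItemType Directory -Path $demoRoot -Force | Out-Null

# A script with a password hard-coded, the practice the post warns about.
Set-Content -LiteralPath (Join-Path $demoRoot 'reset-svc.ps1') -Value @'
$pw   = ConvertTo-SecureString 'Sup3rSecret!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('CORP\svc_iam', $pw)
Set-ADAccountPassword -Identity svc_app -NewPassword $pw -Credential $cred
'@

# A script that takes its credential from a vault lookup instead.
Set-Content -LiteralPath (Join-Path $demoRoot 'disable-leaver.ps1') -Value @'
param([string] $SamAccountName)
$cred = Get-Secret -Name 'iam-admin'   # SecretManagement vault, nothing embedded
Disable-ADAccount -Identity $SamAccountName -Credential $cred
'@

# Show whether signed-only mode (AllSigned) is actually enforced on this host,
# then print the ranked report for the demo folder.
Write-Host "Effective execution policy on this host: $(Get-ExecutionPolicy)"
Get-ScriptRiskReport -Path $demoRoot | Format-Table -AutoSize
```

Point -Path at a real script share or runbook export to get the same ranked inventory for your own environment.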
There is a solution. READI yourself – here comes the promotion
The READI Platform quickly identifies PowerShell scripts on your network, examines the script content for unsafe practices, ranks them for risk, and with minimal effort, moves them into their new secure, governed home in the READI Cloud Platform. It really couldn’t be easier to eliminate a major security gap.
Welcome a new, secure, governed, roles-based access method of automating with PowerShell. Auditors and security professionals can be provided reviewer access while admins can be provided “just enough” access to get the job done.
The READI Platform provides a cloud-based security and governance framework that enables enterprise customers to continue leveraging PowerShell automation while meeting infosec requirements. And best of all, it won’t break the bank. The READI Platform is an affordable and immediate solution that will have executives and board members thankful that a major gap has been identified and quickly closed.
Lock it down now with Readibots.com
Most orgs have fewer than 10 systems with complete identity lifecycle automation via their IGA. The rest get managed through tickets in their ITSM. I talked with one org recently that had over 200 applications! With 10 automated, that's only 5% of their org automated.
The short answer is cost. IGA Connectors are either free (do almost nothing) or expensive; very expensive. Most are extremely limited. They are black box afterthoughts. Most only gather data and automate nothing. Connectors suck.
Some orgs turn to in-house solutions - PowerShell scripting can be an alternative low-cost solution. With a few days of effort, a consultant or internal developer can build a script to link a system. This can be seen as a win, avoiding the high costs of vendor-built connectors, getting the custom functions that are needed, and saving the org a lot of manual processing.
So much cost and effort to get that IGA deployed and now you’re either not finishing the job or you’re turning to PowerShell to get the job finished. One leads to costly manual labor, both lead to security and governance problems!
Let’s look at PowerShell. It’s the language of IT. It has matured over the last decade into a very competent way of managing systems, accounts, and everything else IT. Many orgs turn to PowerShell to help close the gaps. It can be a bit intimidating at first, but most admins become competent quickly. A large community of contributors and an abundance of vendor-built modules make it relatively easy to build automations for many systems on your network and cloud! Bottom line, PowerShell can get the job done at a low cost.
We need to revisit why you brought in an IGA in the first place. For most, the leading driver is governance and security: ensuring that your peeps get just the access they need, no more, and that it gets pulled at the right time. IGA delivers the access controls, policies, and entitlements that can be reviewed, audited, and certified. Considered a must in most orgs, it's the heart of user access management.
These driving requirements are in direct conflict with the realities of using native PowerShell to automate the last mile of IGA. PowerShell is unmanaged, ungoverned, and grossly lacking security controls. Like most scripting environments, it is operating in an ungoverned privileged context. It is a high-risk path that will ensure a failed security audit. In fact, it is one of the leading reasons that people seek our help.
In a recent LinkedIn survey, we found that 54% of the PowerShell community respondents reported that Security and Governance was the number one limitation with PowerShell.
Far too many orgs are in the same boat. Tons of money spent, still only a fraction of their systems automated. There must be a better way! Our IGA experts agreed: there is a better way! With decades of experience in "what not to do", it was time for a reboot.
The way the industry does it is rooted in decades old thinking. So, what if you could have the low-cost, automate anything benefits of PowerShell but made simple, and in a governed, secure ecosystem, that made it exceedingly easy to connect the remaining systems to your IGA. What if you could finish the IGA initiative and remain low-cost? Would it be possible to realize the vision of a fully automated IGA? Pinch yourself ... you might be dreaming.
The READI Platform – the expert’s answer to the problem
The reboot finished and something came to life. With the motto, “our bots connect your dots”, our team solved the problem. Years of late nights, weekends, and caffeine addiction, but it’s here. The READI Platform is born.
A cloud-based, zero-footprint design: Identity Automation as a Service is here. A slice of the future. An easy-to-use, low-code IGA connector language based upon the PowerShell that you know. Never get boxed in again. Designed for IT, not end users, it is exceedingly powerful, READI for your most complex challenges, yet incredibly simple to use. Scaled for the rigorous demands of Fortune 100s while simple enough for a progressive young company.
It’s never been easier, nor more cost effective to close the gap in your IGA. Create secure automated workflows that extend your IGA, your ITSM and your applications into seamless integrated systems.
If your business has been held back from IGA because your processes or org-structures don’t line up with IGA pre-requisites, then look no further. Join the growing number of companies that have discovered the READI Platform, the onboarding experience that offers immediate relief. Incredibly flexible – no reorg required.
For more information, see https://www.readibots.com
A recent survey done by One Identity showed that only 8% of companies have fully automated IAM processes. The result? Needless repetitive work being done by skilled people. When a manual business process can easily be automated, there is absolutely no justification to maintain the status quo.
Most organizations that I talk with have SLAs in place for their identity processes. The organization sets a performance threshold for joiner, mover, leaver (JML) events. It's not surprising that most organizations measure this in hours, but it's not hours, it's days. A 72hr SLA is really 3 days. This is a typical onboarding SLA for many organizations, and it's considered normal. After all, there are a lot of things that need to happen during an onboarding. Onboarding is complicated, time consuming and involves many manual tasks. In the digital age, where we measure in milliseconds and strive to shave time for competitive advantage, many still accept IAM SLAs in days! But this is just a symptom of a greater problem, and it's costing your business; you're just not seeing it.
You’ve made investments in IAM/IGA. The promise was to automate JML operations. If you ask your IAM team, they will give a thumbs up – “we’re good ... processes are well defined, roles are defined, we’re automated, we’ve got this covered.” But follow the processes and you’ll find that downstream, many are manually fulfilled. They’re automated from the perspective of the IAM team - because they aren’t doing the work! These processes result in a boatload of tickets created in your ITSM.
Diving deeper, we see that the org didn’t buy connectors for all the systems. Only the birthright and primary systems are connected. Most orgs have connected only 4 or 5 systems. It was too costly to buy connectors or have them custom built. So, for all these systems, we punt to the service desk. That’s the beginning of the problem. How many applications in your org? What’s in those applications?
When we dig into this, we find that those are the critical niche applications that contain the most sensitive of all data! Our CAD / CAM systems, our scientific data systems, research tools, developer tools, management systems … these are the tools that are used to create and deliver our products. They are the ones that are left in a disconnected, manually managed state.
Next, there’s a shift from on-prem to service-based cloud apps. Every org is going through this. It’s presenting a major problem for IAM teams. You’re likely in one of two camps: you have recently deployed IGA that is cloud based but can’t manage your on prem systems, or you have a legacy on-prem IGA that doesn’t talk with your new cloud apps. How is this resolved? More tickets to the ITSM for manual fulfillment.
Then there are the operational tasks. Non-systems and facilities: business cards, telephones, computers, etc. Every org has this, and there's a required workflow for all of it. Business cards can't be printed until we know the email address and phone extension. So, how do we deal with this? More tickets, more manual fulfillment. In fact, a recent survey done by One Identity showed that only 8% of companies have fully automated IAM processes. A lot of repetitive work being done by skilled people, and we accept this as normal.
Today, you can order a package from Amazon. In seconds you get real-time confirmation, followed hours later by a tracking link. You can see exactly where your package is in near real time, right up to the delivery at your door. Sign in later and you can see all past purchases. We have come to expect self-service and real-time visibility into most transactions. Now how does that compare with your IAM processes?
Can a hiring manager in your org do the same to see where a new employee's onboarding stands? Do they get notified of success or exceptions? Can an IAM team see downstream exceptions in a dashboard? Do workflow exceptions generate actionable alerts? Can executives review onboarding metrics?
Identity apathy is visible when we consider that in most orgs, nobody knows that something went wrong until the hiring manager gets upset because a new employee shows up for work and something is wrong! The person can't sign in, or they didn't get their badge, or a computer is delayed, and nobody knew about it. It's all too common, and orgs struggle with trying to fix it.
Some might ask, what’s the big deal? Most people don’t start until weeks after they sign, if it all gets done, what’s the problem? Hold this thought… still a few more things to consider.
So far, we've only talked about provisioning, but most of this happens in reverse when a person leaves. Now your multi-day SLA is a threat window left open for days! For emergency exits, there's seldom any 'emergency' reflected in the processes. Your HRMS is updated, and an HR event trickles down to your IGA; that can take many hours! A terminated employee is considered one of the greatest threats! What can a person do within a few hours of being walked out the door?
Let's start from the bottom up. One of the top reasons that I hear for stalled initiatives is resourcing. But wait a second: the people that are processing these tickets are the same people that could be moving your business forward. They could be driving your strategic transformations instead of doing the daily grunt work. Nobody took up a career in IT to process tickets, and they're doing hundreds if not thousands of them every month. We saw one org with 13 full-time staff processing IAM downstream tickets, over a million operations a year! Another Fortune 100 was processing over 1,300 tickets a month just supporting Microsoft 365 apps. There's a huge hidden cost around employee dissatisfaction. If your people aren't happy, you're not getting the best of them. How many tickets is your IT team processing each month?
Even if you're willing to leave your people to do the grunt work, consider that bored people are highly prone to making mistakes. By pushing so many monotonous tasks to highly skilled, under-utilized talent, you're not only accepting molasses-based operations, but also subjecting your operations to routine glitches. People make mistakes. They miss things. They get sick. They quit. Especially when they're tired of doing the same things over and over. Little debate here.
We talked about the threat window that's left open on deprovisioning, but there's more. Hundreds if not thousands of tickets are processed manually each month, and most of these are privileged operations. Every time a ticket gets processed, someone is accessing your systems and data with privileged credentials. From where? From their laptops and desktops, home office, corner cafe? All of the above. Hundreds of privileged doors routinely opened. Now consider that just one of them clicks on that email link which infects their PC, or connects from a rogue Wi-Fi network. By leaving so many privileged tasks in a non-automated state, you're inviting a serious security breach. I have personally seen companies experience data breaches from these types of scenarios, not once, but multiple times over.
Automation to the rescue! Automation is the game changer. To remain competitive in today’s global economy, automation is essential.
Maybe you’re nodding in agreement, but you’ve already looked at automation and became overwhelmed with the size and scope. A set of requirements gets merged with other requirements in the org. Soon an automation team is put in place with an org-wide mandate. Your identity needs sink to the bottom of a multi-department requirements list. The ocean begins a slow boil.
The automation team isn’t getting this done. So where do you turn? You direct your team to look for a solution. Many options are considered: Automation Anywhere? Workato? UI Path? ServiceNow? So many choices, but nothing quite fits. Every option looks like a heavy lift and a long road to value.
While these are all fine products, they are not focused on the specific needs of IT and Identity Automation, they’re built for general business process automations – allowing your business users to automate lead management or order processing. They are not built for technically complex requirements of the IAM team. Each will offer “some” of the features you need, but all will fall short, and all will require a lot of custom work.
Those of you that have ServiceNow might elect to have a SNOW developer work on this. Yes, this will work, but it will be slow, and very costly. The talent is not easily available, it’s a substantial effort to connect all your systems, there’s several limitations that will put your finish line on a distant horizon, and your eyes will water when you see the long-term costs. ServiceNow is a great platform, but there’s a better way.
Others, looking to save, might be tempted to just use PowerShell and Azure Runbooks or Power Automate. These are great tools and can also get the job done, but the results will resemble band-aids and baling wire. It's cheap to start, but you'll be forced to rip it out at some point. It's lacking one very critical feature: governance. You put IGA in for governance; how will you govern this automation? You can get it to work, but it's not where you want to be long term.
This is why we created the READI platform. It’s a purpose built back-office automation platform that is specially designed to rapidly “connect the dots”. It makes it exceedingly simple to automate, manage, and govern your back-office operations. It’s ROI focused - low-cost, immediate payback. You get immediate value with a “get it done now” style, but with full security, governance, and compliance features.
On first contact, many are skeptical – and why wouldn’t you be? Every other solution, short of a raw band-aid approach has been a major undertaking, but the READI platform has proven Rapid, Repeatable value over and over. We’ve helped so many orgs take their processes and automate them in only a handful of weeks. It’s one of the reasons that some of the largest systems integrators worldwide have turned to the READI platform to assist their customers.
Almost every org has had to address automation issues with some raw PowerShell and Runbooks, or Power Automate. The READI platform allows you to take those automations and literally copy and paste them into the platform. Immediate security, audit, and compliance benefits in a few hours, the beginning of your path with the READI platform.
Let’s find out! Start with an analysis of your ITSM tickets. One of our engineers was kind enough to share some code to connect to ServiceNow and dump out tickets to a CSV file for analysis. Run this on your own as pure PowerShell, but better yet, we can do this for you, no-charge, on the READI platform as part of a trial engagement.
With the data in hand, analyze your tickets to determine how many could be automated. You’ll be surprised at the number of repetitive tasks and the amount of privileged grunt work. One company we recently helped freed up 13 admins in only 45 days. I challenge you to hire 13 seasoned techs that can be up to speed on your infrastructure in 45 days! Imagine what you could do.
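The ticket pull and analysis described above, as an added PowerShell example that is not the engineer's script from the post: it groups ITSM tickets by a normalised task description to surface the repetitive, privileged identity work that is a candidate for automation. Assumptions: the CSV columns (number, short_description, category, opened_at, resolved_at) mirror ServiceNow task fields; the eight sample tickets are constructed; the optional Get-ServiceNowTickets helper uses the ServiceNow Table API with a placeholder instance name and needs PowerShell 6+ for -Authentication Basic.

```powershell
# Added example, not the engineer's ServiceNow script from the post: find the
# repetitive, automatable identity tasks hiding in an ITSM ticket export.
# Assumptions: CSV columns mirror ServiceNow task fields; sample rows below
# are constructed, not real data.

# Constructed sample export; a real run would use Import-Csv .\tickets.csv
# or the optional live pull in Get-ServiceNowTickets.
$ticketsCsv = @'
number,short_description,category,opened_at,resolved_at
INC0001,Create AD account for J. Doe,Identity,2024-01-02 09:00,2024-01-04 16:30
INC0002,Add user to Salesforce CRM,Access,2024-01-02 10:15,2024-01-05 11:00
INC0003,Create AD account for M. Lee,Identity,2024-01-03 08:45,2024-01-05 17:10
INC0004,Disable account - termination A. Ray,Identity,2024-01-03 13:00,2024-01-06 09:30
INC0005,Add user to Salesforce CRM,Access,2024-01-04 09:05,2024-01-06 14:00
INC0006,Printer driver install floor 3,Hardware,2024-01-04 11:30,2024-01-04 15:00
INC0007,Create AD account for K. Singh,Identity,2024-01-05 08:00,2024-01-08 10:00
INC0008,Disable account - termination P. Chen,Identity,2024-01-05 09:00,2024-01-09 12:00
'@

function Get-ServiceNowTickets {
    # Optional live pull via the ServiceNow Table API (not run by default).
    # $Instance is a placeholder; the credential is prompted, never embedded.
    param(
        [Parameter(Mandatory)] [string] $Instance,
        [string] $Table = 'sc_task',
        [int] $Limit = 5000
    )
    $cred   = Get-Credential -Message "ServiceNow account for $Instance"
    $fields = 'number,short_description,category,opened_at,resolved_at'
    $uri    = "https://$Instance.service-now.com/api/now/table/$Table" +
              "?sysparm_limit=$Limit&sysparm_fields=$fields"
    (Invoke-RestMethod -Uri $uri -Credential $cred -Authentication Basic `
        -Headers @{ Accept = 'application/json' }).result
}

function Get-TaskKey {
    # Collapse per-person variation so identical tasks group together.
    param([string] $Description)
    $key = $Description.ToLowerInvariant()
    $key = $key -replace '\bfor\s+.*$', 'for <user>'              # "create AD account for J. Doe"
    $key = $key -replace 'termination\s+.*$', 'termination <user>' # "termination A. Ray"
    return $key.Trim()
}

function Get-AutomationCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Tickets,
        [int] $MinOccurrences = 2
    )
    $Tickets |
        Group-Object { Get-TaskKey $_.short_description } |
        Where-Object Count -ge $MinOccurrences |
        ForEach-Object {
            $hours = $_.Group | ForEach-Object {
                ([datetime]$_.resolved_at - [datetime]$_.opened_at).TotalHours
            }
            [pscustomobject]@{
                Task            = $_.Name
                Category        = ($_.Group | Select-Object -First 1).category
                Tickets         = $_.Count
                AvgHoursToClose = [math]::Round(($hours | Measure-Object -Average).Average, 1)
                # Account and access changes are the privileged grunt work the post describes.
                Privileged      = $_.Name -match 'account|add user|disable'
            }
        } | Sort-Object Tickets -Descending
}

$tickets    = $ticketsCsv | ConvertFrom-Csv
$candidates = Get-AutomationCandidates -Tickets $tickets

$candidates | Format-Table -AutoSize

# Share of the ticket volume that falls into repeatable (automatable) tasks.
$total = $tickets.Count
$auto  = ($candidates | Measure-Object -Property Tickets -Sum).Sum
Write-Host ("{0} of {1} tickets ({2:P0}) are repeatable tasks" -f $auto, $total, ($auto / $total))
```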
So, your SLAs measured in days are a symptom of a greater problem. We've explored the problem and we've seen that there's a solution to it. But you're probably now thinking, "We don't have time to deal with this right now… we'll consider it next year." It's ironic that the resource limits are in fact another symptom of the problem. That's why we offer professional services to accompany our READI platform. Our engineers have decades of back-end automation experience. They have done this for companies exactly like yours, many times over. They will engage, and in weeks you will see benefits. Jean-Paul Calabio, CISO at Alorica (a 100K employee enterprise), took us up on the offer and said: "We were amazed at how quickly we could automate our identity processes with Readibots." Have an SI you're already working with? The largest SIs in the world use the READI platform to address their customer needs. There's never been a better time than now. The people needed are available. It's just the power of a decision that is needed.
In only weeks you will:
Take the next step. Visit us at: readibots.com and inquire. Let us show you how to transform your Identity processes Now!